Individual risk assessment: Comments and recommendations by the NBB
The requirement to adopt a risk-based approach for the prevention of ML/FT, the basis of which is laid down in Article 7 of the Anti-Money Laundering Law, is one of the key elements in the FATF Recommendations as revised in 2012 and in Directive 2015/849. At the Belgian level, this requirement has inter alia resulted, with regard to the preventive measures to be implemented by obliged entities, in the obligation to perform a dual risk assessment, namely:
- an overall assessment of the risks to which they are exposed (“business-wide risk assessment”), in accordance with the provisions of Articles 16 and 17 of the Anti-Money Laundering Law on the one hand, and of Title 2 of the Anti-Money Laundering Regulation of the NBB on the other hand (see the page “Risk-based approach and overall risk assessment”); and
- an assessment of the risks associated with each business relationship or occasional transaction (see below).
In accordance with Article 19 of the Anti-Money Laundering Law, any decision to enter into a business relationship or to carry out the proposed transaction, or on the nature and intensity of the due diligence measures referred to in the said Article (see point 2.3 below) and applied by an obliged entity should, from now on, be based on an assessment of the ML/FT risks associated with each business relationship or occasional transaction. This so-called “individual risk assessment” is a central component of the new Anti-Money Laundering Law and constitutes an instrument that, in conjunction with the overall risk assessment, should enable financial institutions to identify, adequately manage or, where appropriate, limit the ML/FT risks to which they are exposed, and to optimise the allocation of their resources.
A risk-based approach therefore implies gaining in-depth and up-to-date knowledge and an understanding of the ML/FT risks to which the institution is objectively exposed, taking into account its activities and the manner in which they are performed (type of customers, geographical area...), and of the ML/FT risks associated with each business relationship, taking into account the different transactions carried out by the customer concerned in the context of this relationship, or with each occasional transaction.
2.1. Individual risk assessment
The individual ML/FT risk assessment requires these risks to first be identified and then assessed.
In accordance with Article 19, § 2, of the Anti-Money Laundering Law, when identifying the ML/FT risks linked to a business relationship or occasional transaction, financial institutions should at least take into account:
- the overall risk assessment, performed beforehand in accordance with Article 16 of the Anti-Money Laundering Law, and all elements taken into account in the context of this overall assessment. This includes, in particular:
  - the variables set out in Annex I of this Law,
  - the factors indicative of a potentially higher risk, as referred to in Annex III of the same Law, and possibly those indicative of a potentially lower risk, as referred to in Annex II,
  - but also the relevant conclusions of the report drawn up by the European Commission and the national risk assessment, the ESA risk factor guidelines, etc. (see the reference documents mentioned on the page “Risk-based approach and overall risk assessment”);
- the characteristics of the customer and of the business relationship or occasional transaction concerned. The financial institution should take account of all information collected while fulfilling its due diligence obligations, such as information on:
  - the identity of the customer, his agents and his beneficial owners,
  - the customer's characteristics and the purpose and nature of the business relationship or the occasional transaction,
  - and all other information collected as part of its due diligence on business relationships and occasional transactions.
As soon as they have an overall view of the ML/FT risk factors they have identified, financial institutions can determine the ML/FT risk level associated with the intended business relationship or occasional transaction. This could be done by assigning a score to each of the risk factors identified and combining these scores to determine the level of ML/FT risk. As highlighted in the ESAs Risk Factor Guidelines of 4 January 2018 (p. 16, paragraphs 36 and 37), when obliged entities weight risk factors in this way, they “should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction. (...) for example, firms may decide that a customer’s personal links to a jurisdiction associated with higher ML/TF risk is less relevant in light of the features of the product they seek”. Moreover, they also stress that “the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another. When weighting risk factors, firms should ensure that:
- weighting is not unduly influenced by just one factor;
- economic or profit considerations do not influence the risk rating;
- weighting does not lead to a situation where it is impossible for any business relationship to be classified as high risk;
- the provisions of Directive (EU) 2015/849 or national legislation regarding situations that always present a high money laundering risk cannot be over-ruled by the firm’s weighting; and
- they are able to over-ride any automatically generated risk scores where necessary. The rationale for the decision to over-ride such scores should be documented appropriately”.
As regards the penultimate point mentioned above, it should indeed be stressed that, in accordance with Directive 2015/849, Articles 37 to 41 of the Anti-Money Laundering Law identify situations in which risks must always be considered high and which require the specific enhanced due diligence measures provided for therein to be implemented (see the pages dedicated to “Special cases of enhanced due diligence”). However, these special cases of enhanced due diligence still require an individual risk assessment taking account of all risk factors associated with the business relationship or occasional transaction, in particular to determine the appropriate intensity of the enhanced due diligence measures to be implemented to adequately manage and reduce these risks.
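The weighting constraints quoted above can be built into the scoring routine itself rather than left to manual checking. The following Python sketch is an added illustration and is not the NBB's or the ESAs' method: the 0 to 4 factor scale, the weights, the normalised-score thresholds and the rule that no single factor should carry more than half of the total are constructed assumptions, as is the sample customer. It shows a weighted combination of risk factors, a warning when the rating rests mainly on one factor, a legally designated high-risk situation that the weighting cannot lower, and a manual override that is refused unless a rationale is recorded.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed scale: each factor is scored 0 (no risk indication) .. 4 (strong indication).
MAX_FACTOR_SCORE = 4
LOW, STANDARD, HIGH = "low", "standard", "high"

# Assumed thresholds on the normalised score (0..1); the page sets no figures.
THRESHOLDS: Dict[str, float] = {HIGH: 0.6, STANDARD: 0.3}
# Assumption: a rating in which one factor contributes more than half of the total is flagged.
MAX_SINGLE_SHARE = 0.5


@dataclass(frozen=True)
class RiskFactor:
    name: str
    score: int
    weight: float               # relevance judged by the institution for this product/customer
    always_high: bool = False   # situation the law treats as high risk in all cases


@dataclass
class Assessment:
    level: str
    normalised_score: float
    warnings: List[str]
    forced_high: bool
    override_rationale: Optional[str] = None


def validate_thresholds(thresholds: Dict[str, float] = THRESHOLDS) -> List[str]:
    """Model-level check: with every factor at its maximum score the normalised
    score is 1.0, so a high threshold above 1.0 would make 'high' unreachable."""
    problems = []
    if thresholds[HIGH] > 1.0:
        problems.append("high risk unreachable with these thresholds")
    if thresholds[STANDARD] >= thresholds[HIGH]:
        problems.append("standard threshold must lie below the high threshold")
    return problems


def assess(factors: List[RiskFactor], thresholds: Dict[str, float] = THRESHOLDS) -> Assessment:
    """Combine weighted factor scores into a risk level. No revenue or profit
    input exists in the model, so economic considerations cannot enter the rating."""
    warnings: List[str] = []
    max_total = sum(f.weight for f in factors) * MAX_FACTOR_SCORE
    contributions = {f.name: f.score * f.weight for f in factors}
    total = sum(contributions.values())
    normalised = total / max_total if max_total else 0.0
    for name, c in contributions.items():
        if total and c / total > MAX_SINGLE_SHARE:
            warnings.append(f"rating rests mainly on '{name}'; review weighting")
    if normalised >= thresholds[HIGH]:
        level = HIGH
    elif normalised >= thresholds[STANDARD]:
        level = STANDARD
    else:
        level = LOW
    forced = any(f.always_high for f in factors)
    if forced and level != HIGH:
        warnings.append("legally designated high-risk situation overrides weighted result")
        level = HIGH
    return Assessment(level, round(normalised, 3), warnings, forced)


def override(a: Assessment, new_level: str, rationale: str) -> Assessment:
    """Manual override of an automatically generated rating: the decision must be
    documented, and a rating the law fixes as high cannot be lowered."""
    if new_level not in (LOW, STANDARD, HIGH):
        raise ValueError("unknown risk level")
    if not rationale.strip():
        raise ValueError("override requires a documented rationale")
    if a.forced_high and new_level != HIGH:
        raise ValueError("cannot override a legally designated high-risk rating")
    return Assessment(new_level, a.normalised_score,
                      a.warnings + [f"overridden to {new_level}"], a.forced_high, rationale)


# Constructed sample: a customer whose link to a higher-risk jurisdiction is
# judged less relevant for the product sought (weight 0.5), as in the ESAs' example.
SAMPLE_FACTORS = [
    RiskFactor("customer type", score=1, weight=1.0),
    RiskFactor("country link", score=3, weight=0.5),
    RiskFactor("product", score=1, weight=1.0),
    RiskFactor("delivery channel", score=2, weight=1.0),
]

if __name__ == "__main__":
    result = assess(SAMPLE_FACTORS)
    print(result)
    forced = assess(SAMPLE_FACTORS + [RiskFactor("legal high-risk situation", 0, 0.0, True)])
    print(forced)
    print(override(result, HIGH, "adverse information received after onboarding"))
```

The normalised score of the sample customer is 5.5 / 14, a standard profile under the assumed thresholds; adding a legally designated situation forces the level to high and records why, and an attempt to lower that rating, or to override any rating without a rationale, is rejected.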
2.2. Classification of risks in risk categories
In line with the individual risk assessment, financial institutions should classify the business relationship or occasional transaction concerned in one (or more) risk categories specified following the overall risk assessment (see the page “Risk classification”), depending on the ML/FT risk level identified. Each business relationship or occasional transaction should thus be assigned a risk profile (high, standard or possibly low). The risk classification method established by the financial institution in its internal procedures should enable it to determine the appropriate scope of the measures of due diligence on business relationships and occasional transactions to be implemented in order to take account, where appropriate, of the different levels and nature of the ML/FT risks associated with the various products and services provided to the customer.
In this respect, it should be noted that financial institutions must ensure that they are able to modify the initial classification of a business relationship or transaction, which was decided on by applying the internal procedures to the information collected at the start of the relationship. They should be able to reclassify this business relationship or transaction in another risk category when additional information collected in the context of the individual risk assessment leads them to identify higher risks, risks of a different nature or, where appropriate, lower risks. While the initial classification should first and foremost reflect the risks inherent to the activities performed, as identified in a generic manner in the context of the overall risk assessment, the specific analysis of the risk level presented by each business relationship or occasional transaction, taking into account all its characteristics and all specific information obtained in the context of the individual risk assessment, should be able to lead to its reclassification from the initial risk category to another one. The latter should be better suited to effectively reducing and managing the specific and material ML/FT risks associated with this business relationship or transaction, rather than generic and theoretical risks.
2.3. Implementation of appropriate due diligence measures
Following the individual risk assessment, financial institutions should define appropriate due diligence measures for adequately managing or mitigating risks.
By assigning a risk profile to a business relationship or occasional transaction and classifying it in one or more risk categories, the financial institution should be able to determine the level of due diligence (standard, enhanced, simplified) to be applied to the transactions carried out in the given situation, in accordance with the organisational framework defined by it (see the page “Policies, procedures, processes and internal control measures”) and, in particular, with its customer acceptance policy.
The due diligence obligations thus subject to the risk-based approach are mentioned in Article 19, § 1, and specified in Title 3 of the Law. While, under the previous Law of 11 January 1993, these obligations could often wrongly be assumed to be limited to identifying and knowing the customer (so-called “KYC” measures), the legal framework now makes clear that they comprise three separate components, each with its own regulations:
- the identification and identity verification obligations (detailed on the pages dedicated to this topic);
- the obligations to identify the customer's characteristics and the purpose and nature of the business relationship or occasional transaction (detailed on the page dedicated to this topic);
- the obligations of due diligence on business relationships and occasional transactions (detailed on the page dedicated to this topic).
3. Documentation and updates
Article 19, § 2, paragraph 3, of the Anti-Money Laundering Law stipulates that financial institutions should, in all cases (i.e. regardless of the risk level presented by a business relationship or occasional transaction), be able to demonstrate to the NBB that the due diligence measures applied by them are appropriate in light of the ML/FT risks they have identified.
Additionally, it should be noted that the individual risk assessment which financial institutions are required to perform with regard to each business relationship or occasional transaction under Article 19, § 2, of the Anti-Money Laundering Law is not a one-off exercise but a continuous process. This risk assessment, like the overall risk assessment where appropriate, should be updated whenever one or more events occur that could have a significant impact on the risks associated with the given situation.
It is therefore advisable for each financial institution to describe the following in their internal procedures, which should be made available to the NBB:
- the methodology followed to perform the individual assessment of the risks associated with the business relationship or occasional transaction concerned.
  In this regard, the internal procedure should describe the arrangements for the analysis of all information collected on the customer and the intended business relationship or occasional transaction in order to determine for each specific case which risk class defined following the overall risk analysis is appropriate (see point 3.2 below) to ensure that the most relevant due diligence measures are applied to the business relationship or the occasional transaction, taking into account its characteristics or special features (see point 3.3 below);
- the process for monitoring and timely updating the individual risk assessment process in order to ensure its permanent accuracy, including as regards existing customers.
  This process should specify the measures to be implemented to identify events that could influence the individual assessment of the risks linked to each business relationship over the course of that relationship, so as to take note of them and, subsequently, start the process for updating this assessment.
To ensure that the individual risk assessments are still relevant, it could also be useful for the internal procedure, where appropriate in light of the activities performed, to provide for a periodic review of these assessments and of the information available on which they are based. The frequency of these reviews can differ according to the risk profile assigned to the business relationship concerned.
It is for each financial institution to determine these different frequencies based on its own experience, with a view to adequately managing ML/FT risks. However, by way of indication, when the business relationship requires continuously or regularly carrying out a large number of transactions with characteristics that could change significantly over time, the NBB considers that these periodic reviews should reasonably occur at least annually in case of high risks, or even more frequently in case of particularly high risks (for example where reports have been made to CTIF-CFI), at least every three years for business relationships presenting a standard risk profile, and at least every five years for business relationships presenting a low risk profile. However, it should be stressed that the frequencies that may be set in the procedures constitute complementary precautionary measures; they may not be invoked under any circumstances to justify not updating the individual assessment of the risks linked to a business relationship when events occur that could significantly influence this assessment.
In the case of life insurance contracts that do not require carrying out a large number of successive transactions and do not present high ML/FT risks, it may be more appropriate for the internal procedures to stipulate that the individual risk assessment should be reviewed when one of the events provided for in the internal procedures occurs. Such events do not, in and of themselves, influence the individual assessment of the risks linked to the business relationship concerned, but they trigger the review process in order to ensure that this assessment is still relevant.
In this respect, the NBB also notes that the provisions of the Anti-Money Laundering Law not only apply to the business relationships or the occasional transactions which financial institutions conclude with new customers, but also - without a transitional period - to the ongoing business relationships entered into with customers before the entry into force of these new legal provisions. The NBB therefore expects financial institutions to reassess the business relationships they entered into before the entry into force of the Anti-Money Laundering Law, prioritising business relationships which were considered to present a high risk before this reassessment.
Reference is also made:
- to the page “Policies, procedures, processes and internal control measures” for more information on the internal procedures;
- to the page “Due diligence on business relationships and occasional transactions and detection of atypical facts and transactions” for more information on the obligation to update individual risk assessments.
Moreover, it is advisable to document the individual assessment of the risks linked to each business relationship or occasional transaction, including changes made to it as part of an update, in a written document or in the form of data stored on an IT system, so that they can be reconstructed unaltered at any moment and be made available to the NBB.
4. Internal control measures
Financial institutions are expected to periodically verify whether their internal procedures regarding individual risk assessments are complied with on an ongoing basis and whether the process for fulfilling the related updating obligation is adequate.
The NBB therefore urges the internal audit function to pay particular attention to:
- the adequacy of the risk factors considered by the financial institution and of the weighting assigned to each factor in order to perform the individual assessment of the ML/FT risks associated with business relationships or occasional transactions;
- the inclusion, in the assessment of the risks linked to a business relationship, of any diversity in the services and products offered in the context of this relationship and of the relevance of the separate assessment of the risks associated with each of these products or services;
- the adequacy of the updates of the individual assessments performed.